
Zero Trust Compliance Auditor / Engineer (Assessor)

Job Description

Zero Trust (ZT) Compliance Auditor / Engineer (Assessor)

MILITARY FRIENDLY & HOH SPONSOR

Zermount Inc. is seeking a ZT Compliance Auditor / Engineer who plays a critical role in evaluating, assessing, and ensuring the organization's adherence to ZT security principles and compliance requirements. You will be responsible for evaluating the effectiveness of the implementation of ZT principles and associated controls, identifying vulnerabilities, and recommending remediation measures to enhance the organization's ZT maturity level and overall security posture. You will also assist in engineering and recommending ZT solutions that meet compliance standards and strengthen the organization's security infrastructure.

Duties & Responsibilities:

  • Conduct comprehensive security compliance assessments based on ZT principles, industry frameworks (e.g., NIST SP 800-207, CISA Maturity Model, Technical Reference Architectures, etc.), and relevant regulatory requirements.
  • Evaluate the organization's adherence to ZT tenets and pillars, including strict access controls, least privilege access, network segmentation, continuous monitoring, multifactor authentication (MFA), data security, etc.
  • Review policies, procedures, and technical controls to identify gaps, non-compliance issues, and potential security vulnerabilities specific to ZT architecture (ZTA).
  • Perform audits of IT systems, networks, and applications to assess compliance with established ZT principles and associated controls. Evaluate the effectiveness of ZT security mechanisms, including network segmentation, access policies, identity and access management (IAM), and encryption protocols.
  • Collaborate with cross-functional teams to engineer and recommend ZT solutions, such as software-defined perimeters (SDPs), ZT Network Access (ZTNA), IAM systems, Secure Access Service Edge (SASE), etc.
  • Conduct technical vulnerability assessments and configuration testing specific to ZT principles and maturity model requirements to identify potential security weaknesses and recommend remediation measures.
  • Document audit findings, observations, and recommendations related to ZT compliance in clear and concise reports.
  • Provide actionable / risk-based recommendations for improving the implementation of ZT principles and associated controls, addressing non-compliance issues, and enhancing the overall ZT maturity level and security posture.
  • Collaborate with stakeholders to ensure proper documentation and tracking of identified vulnerabilities and the progress of remediation activities.
  • Collaborate with IT teams, System Owners, and ISSOs to develop and implement remediation plans for identified ZT security vulnerabilities and non-compliance issues. Assist in the design of ZT capabilities and processes to mitigate risks, enhance compliance, and strengthen the organization's security posture.
  • Provide guidance / support to stakeholders in remediating ZT gaps, security issues and improving compliance status.
  • Review and assess the organization's IT / Cybersecurity policies, procedures, and standards to ensure alignment with ZT requirements, industry best practices, regulatory requirements, and evolving threat landscape.
  • Participate in the development and revision of IT / Cybersecurity policies and standards to ensure the incorporation of ZT principles as needed, ensuring they address the client's needs and emerging security challenges.
  • Stay up to date with emerging threats, vulnerabilities, and regulatory changes that may impact the organization's ZT maturity level and overall security posture and compliance requirements.
  • Review Requests for Change (RFCs) / upgrades and provide impact analysis of changes related to ZT. Analyze and document:
    • The scope and extent to which such changes support ZT mandates; and
    • The ZTA and configuration changes made by the Organization's O&M team(s).
  • Conduct ZT reviews and assessments of all existing cybersecurity and IT capabilities for all of the organization's systems and the Enterprise. Prepare a Readiness Assessment Report with any mitigations or recommendations. Conduct a gap analysis and identify gaps in existing capabilities' compliance with RMF mandates. Incorporate approved changes into the Organization's roadmap established with the CIO ZT Plan, IMS, and other applicable documentation.
  • Evaluate emerging technologies being considered by the Organization and conduct an analysis of alternatives (AoA) to determine compliance with federal mandates and requirements.
  • Support assessments of plans, designs, technical concepts, implementation approaches, standards compliance, business and technical tradeoffs, and risk analyses.
  • Review existing network infrastructure and coordinate with other stakeholders and contractors to perform a network assessment that includes but is not limited to reviewing existing circuits, connection types, bandwidth, types of traffic, and routing protocols.
  • Perform complex risk analyses, including risk assessments, to identify compliance with federal requirements (e.g., EO 14028, OMB M 22-09, M 21-31, A-130, TIC 3.0, NIST SP 800-37, SP 800-53, FIPS 199, and FIPS 200, etc.) and with security requirements derived from the analysis of people, processes, and technologies.
  • In view of the remote nature of the contract, an individual Weekly Status Report (WSR) and WSR Briefing are required for assigned tasks. Must effectively develop WSRs that are consistent, well structured, answer all assigned management requirements, align with the area of support, and are relevant to the reporting period.
  • Must ensure deliverables meet a level of accuracy that does not require "return for correction" for typographical and grammatical errors. (Repeated requests for correction by the management or Government team may result in a determination of failing to meet the basic standards for professional writing, reporting, accuracy, quality, and completeness of the contractual requirements for deliverables.)
  • Prepare briefings / reports and present and explain in detail to management and/or government client.
  • Assist and support as required and as directed by the Program Manager.

Qualifications:

  • Minimum of 5 years of IT / Cybersecurity experience, including direct support of the US government, and 3 years as an ISSO, assessor, engineer, or compliance analyst; 7 years if the candidate does not have a bachelor's degree.
  • Experience with and knowledge of Executive Orders (EOs) (e.g., EO 14028), Office of Management and Budget (OMB) Memorandums (e.g., M 22-09, M 21-31), Federal, DoD and CISA Technical Reference Architectures, Maturity Models, NIST guidance, FISMA, Cloud, and the Risk Management Framework (RMF).
  • Strong understanding of ZT principles and how they can be applied to various types of information systems.
  • Proficient in risk assessment methodologies and security architecture frameworks.
  • Experience with cloud-based environments and technologies.
  • Knowledge of common cybersecurity threats, risks, and vulnerabilities and how to mitigate them.
  • Excellent communication skills, with the ability to explain complex concepts in a clear, concise manner.
  • Technical knowledge of IT systems and implementation of security controls.
  • Strong problem-solving skills and a proactive attitude towards identifying potential issues and implementing solutions.
  • Must be able to conduct system analysis to detect issues with performance.
  • Well versed in developing and implementing IT solutions to resolve technical challenges.
  • Ability to work independently and as part of a team.

Education:

  • Minimum of a Bachelor of Science (or higher) in one of the following: computer engineering, computer science, IT, cyber security, or a related field.
    • Relevant years of experience may be used in substitution for a required degree.

Certifications:

  • A minimum of at least one of the following certifications is required: Certified Authorization Professional (CAP), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certificate of Cloud Security Knowledge (CCSK), Certified Chief Information Security Officer (CCISO), or any certification compliant with DoD 8570 IAT Level II or higher.

Clearance level:

  • Minimum of an active Secret Clearance.

Work Location:

  • Hybrid - Primarily Remote. (Onsite work in Springfield, VA or Arlington, VA may be occasionally required.)

Hours of Operation:

  • Business Hours: 8:00 am EST - 4:30 pm EST.

Benefit Package:

  • Performance Bonuses: Based on your performance (e.g., annual, significant contributions)
  • Benefits: Standard Zermount-provided benefits for salaried-exempt employees, including the following:
    • 401(k) retirement account
    • Education assistance (e.g., training, certifications, degree) - $10,000 annually
    • Health, dental, vision, life, and AD&D insurance
    • Personal Time Off (PTO) - 15 days
    • Federal Holidays - 11 days


Arlington, TX
Full time

Published on 07/05/2025
